VeriSign Urged to Lose SiteFinder

A panel of experts from the Internet Corporation for Assigned Names and
Numbers (ICANN) said VeriSign moved too soon with its controversial
SiteFinder service and recommends it never be used in the public realm
again.

The report, “Redirection in the Com and Net Domains,” released
over the weekend by the Security and Stability Advisory Committee (SSAC)
finds VeriSign’s marketing endeavor, SiteFinder,
violated fundamental architectural principles and well-established codes of
conduct within the Internet community.

In September 2003, VeriSign, managers of the .com and .net registry (a
directory of the domains and owners of every Web address within those
top-level domains), started redirecting Web users who typed in an incorrect
or unused Web site or e-mail address to a paid advertising page,
SiteFinder.com, rather than returning the industry standard RCODE3 “name
error” code.

Introducing a DNS “wildcard” for incorrect addresses into the
mix had the side effect
of “legitimizing” every e-mail address sent, which snarled the scripts in
many spam-blocking applications around the world. Many anti-spam filters
were predicated on the fact that bogus e-mail addresses were spam.
Administrators scrambled to adjust their scripts to
accommodate the unforeseen change.

Registrars, ISPs and network administrators alike
cried foul, saying
the service was an improper use of VeriSign’s management of the world’s two
largest top-level domains (TLDs).

VeriSign, at the
time
and today, insist the SiteFinder service is a benefit for end users
who typed an incorrect Web site address or e-mail address. At ICANN’s
insistence, VeriSign suspended the service October 4, 2003, pending the
results of the SSAC report, which was originally due for publication in
January.

The committee found that VeriSign “did not have network-shattering effects”
but “violated fundamental Internet engineering principles by blurring the
well-defined boundary between architectural layers,” the report stated.

The SSAC’s biggest complaints are two-fold: that VeriSign arbitrarily
introduced changes to the DNS and that it made the change without telling
anyone about it first. ICANN’s first indication of the launch September
15, 2003, came from media reports announcing SiteFinder as a revenue-generating service.

“Such reportage in the largely mainstream press hardly conforms to the
process of review and comment to which the Internet technical community is
accustomed within the framework of the Internet Engineering Task Force
(IETF),” the report stated.

The SSAC, formed in the wake of Sept. 11, 2001, to find ways to ensure the
safety and stability of the Internet came up with four recommendations:

  • Synthesized responses should not be introduced into TLDs or zones that
    serve the public.
  • The use of these synthesized responses should be phased out of any TLDs
    or public zones where they exist today.
  • Clarification of the Request for Comments (RFC) specifications at the
    IETF regarding synthesized responses in the DNS protocols.
  • Future changes at VeriSign should take place only after a “substantial
    period” of notice, testing and coordination.

Brian O’Shaughnessy, VeriSign director of corporate communications, said
they expected the report’s findings to rule against the registry.

“We are not surprised by the outcome, because key members of the ICANN
committee indicated that they were against the SiteFinder service even prior
to holding hearings,” he said in a statement. “We are surprised, however,
that after nine months of review, they still haven’t provided data to
back up their claims.”

VeriSign is in the middle of a protracted legal battle with ICANN over the
SiteFinder service and other programs instituted by the registry to make
money.

In February, the company filed a
lawsuit
against the Internet-governing body on seven counts, including the delay
and suspension of the SiteFinder service.

Officials feel ICANN has overstepped its boundaries as a technical body
ensuring the safety and security of the Internet, as mandated by its
memorandum of understanding (MOU) with the Department of Commerce (DoC), and
is dictating policy, which isn’t in its charter.

A judge recently dismissed
the antitrust claim in the suit but kept the other six charges
alive. VeriSign officials had no comment on the SSAC report’s effect to its
current lawsuit.

News Around the Web